Por Nuno Neves (LASIGE/DI-FCUL).
Federated learning (FL) is a decentralized machine learning technique that allows multiple entities to jointly train a model while preserving dataset privacy. However, its distributed nature has raised various security concerns, which have been addressed by increasingly sophisticated defenses. These protections utilize a range of data sources and metrics to, for example, filter out malicious model updates, ensuring that the impact of attacks is minimized or eliminated.
This paper explores the feasibility of designing a generic attack method capable of installing backdoors in FL while evading a diverse array of defenses. Specifically, we focus on an attacker strategy called MIGO, which aims to produce model updates that subtly blend with legitimate ones. The resulting effect is a gradual integration of a backdoor into the global model, often ensuring its persistence long after the attack concludes, while generating enough ambiguity to hinder the effectiveness of defenses.
MIGO was employed to implant three types of backdoors across five datasets and different model architectures. The results demonstrate the significant threat posed by these back- doors, as MIGO consistently achieved exceptionally high backdoor accuracy (exceeding 90%) while maintaining the utility of the main task. Moreover, MIGO exhibited strong evasion capabilities against ten defenses, including several state-of-the-art methods. When compared to four other attack strategies, MIGO consistently outperformed them across most configurations. Notably, even in extreme scenarios where the attacker controls just 0.1% of the clients, the results indicate that successful backdoor insertion is possible if the attacker can persist for a sufficient number of rounds.
Short bio: Nuno Ferreira Neves is a Professor in the Department of Computer Science at the Faculty of Sciences, University of Lisboa (FCUL). He serves on the Coordination Board of the LASIGE research unit, where he leads the Dependable and Secure Decentralized Systems research line. His research primarily focuses on the security and dependability of distributed systems and networks, with a recent emphasis on machine learning techniques. From 2021 to 2023, he chaired the IEEE Computer Society's Technical Committee on Dependable Computing and Fault Tolerance (TCFT) and is a member of the Steering Committee for the IEEE/IFIP International Conference on Dependable Systems and Networks. With over 150 publications, his work has received several distinctions, including the IBM Scientific Prize, the DSN Test-of-Time Award, and the Best Student Paper at Middleware.
